SRU of LXC 3.0.2 (upstream bugfix release)

Bug #1788457 reported by Stéphane Graber on 2018-08-22
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
lxc (Ubuntu)
Status tracked in Cosmic
Xenial
High
Stéphane Graber
Bionic
High
Stéphane Graber
Cosmic
High
Stéphane Graber

Bug Description

LXC upstream released LXC 3.0.2 as a bugfix release with following changelog:
    - CVE 2018-6556: verify netns fd in lxc-user-nic
    - fixed a range of bugs found by Coverity
    - lxc-usernsexec: cleanup and bugfixes
    - log: add CMD_SYSINFO()
    - log: add CMD_SYSERROR()
    - state: s/sleep()/nanosleep()/
    - lxclock: improve file locking
    - lxccontainer: improve file locking
    - lxccontainer: fix F_OFD_GETLK checks
    - netlink: add __netlink_{send,recv,transaction}
    - netns: allocate network namespace id
    - MAINTAINERS: add Wolfgang Bumiller
    - pam_cgfs: cleanups
    - log: add default log priority
    - tree-wide: pass unsigned long to prctl()
    - macro: add new macro header
    - conf: mount devpts without “max” on EINVAL
    - tree-wide: handle EINTR in read() and write()
    - tree-wide: replace pipe() with pipe2()
    - confile: split mount options into flags and data
    - conf: improve rootfs setup
    - autotools: default to -Wvla -std=gnu11
    - tree-wide: remove VLAs
    - tree-wide: replace strtok_r() with lxc_iterate_parts()
    - utils: add lxc_iterate_parts()
    - apparmor: allow start-container to change to lxc-**
    - apparmor: update current profiles
    - apparmor: Allow /usr/lib* paths for mount and pivot_root
    - conf: the atime flags are locked in userns
    - conf: handle partially functional device nodes
    - conf: create /dev directory
    - autotools: build both a shared and static liblxc
    - namespace: add api to convert namespaces to standard identifiers
    - tree-wide: set MSG_NOSIGNAL
    - tree-wide: use mknod() to create dummy files
    - cgfsng: respect lxc.cgroup.use
    - cgroups: remove is_crucial_cgroup_subsystem()
    - tree-wide: remove unneeded log prefixes
    - tests: cleanup all tests
    - terminal: set FD_CLOEXEC on pty file descriptors
    - conf: simplify lxc_setup_dev_console()
    - tools: rework tools
    - autodev: adapt to changes in Linux 4.18
    - log: change DEBUG, INFO, TRACE, NOTICE macro using strerror to SYS* macro
    - log: add lxc_log_strerror_r macro
    - network: unpriv lxc will run lxc.net.[i].script.up now
    - conf: only use newuidmap and newgidmap when necessary
    - autotools: support tls in cross-compile

Just like Ubuntu itself, upstream releases long term support releases, as is 3.0 and then periodic point releases including all the accumulated bugfixes.

Only the latest upstream release gets full support from the upstream developers, everyone else is expected to first update to it before receiving any kind of support.

This should qualify under the minor upstream bugfix release allowance of the SRU policy, letting us SRU this without paperwork for every single change included in this upstream release.

Once the SRU hits -updates, we will be backporting this to xenial-backports as well, making sure we have the same version everywhere.

[Test case]
lxc has autopkgtests which will assert that the binaries built in -proposed are functional.

Changed in lxc (Ubuntu Xenial):
status: New → Triaged
Changed in lxc (Ubuntu Bionic):
status: New → Triaged
Changed in lxc (Ubuntu Cosmic):
status: New → Triaged
Changed in lxc (Ubuntu Xenial):
importance: Undecided → High
Changed in lxc (Ubuntu Bionic):
importance: Undecided → High
Changed in lxc (Ubuntu Cosmic):
importance: Undecided → High
Changed in lxc (Ubuntu Xenial):
assignee: nobody → Stéphane Graber (stgraber)
Changed in lxc (Ubuntu Bionic):
assignee: nobody → Stéphane Graber (stgraber)
Changed in lxc (Ubuntu Cosmic):
assignee: nobody → Stéphane Graber (stgraber)
status: Triaged → In Progress
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package lxc - 3.0.2-0ubuntu4

---------------
lxc (3.0.2-0ubuntu4) cosmic; urgency=medium

  * Cherry-pick upstream fixes:
    - 0024-commands-return-1-on-lxc_cmd_get_init_pid-err.patch

 -- Stéphane Graber <email address hidden> Sat, 25 Aug 2018 00:49:17 -0400

Changed in lxc (Ubuntu Cosmic):
status: In Progress → Fix Released
Stéphane Graber (stgraber) wrote :

Upload to bionic-updates

Changed in lxc (Ubuntu Bionic):
status: Triaged → In Progress

Hello Stéphane, or anyone else affected,

Accepted lxc into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/lxc/3.0.2-0ubuntu1~18.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

description: updated
Changed in lxc (Ubuntu Bionic):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-bionic
Stéphane Graber (stgraber) wrote :

I've confirmed the the update happens smoothly, that existing containers can be interacted with just fine and that newly started containers work too.

tags: added: verification-done verification-done-bionic
removed: verification-needed verification-needed-bionic
Launchpad Janitor (janitor) wrote :
Download full text (3.8 KiB)

This bug was fixed in the package lxc - 3.0.2-0ubuntu1~18.04.1

---------------
lxc (3.0.2-0ubuntu1~18.04.1) bionic; urgency=medium

  * New upstream bugfix release (LP: #1788457):
    - CVE 2018-6556: verify netns fd in lxc-user-nic
    - fixed a range of bugs found by Coverity
    - lxc-usernsexec: cleanup and bugfixes
    - log: add CMD_SYSINFO()
    - log: add CMD_SYSERROR()
    - state: s/sleep()/nanosleep()/
    - lxclock: improve file locking
    - lxccontainer: improve file locking
    - lxccontainer: fix F_OFD_GETLK checks
    - netlink: add __netlink_{send,recv,transaction}
    - netns: allocate network namespace id
    - MAINTAINERS: add Wolfgang Bumiller
    - pam_cgfs: cleanups
    - log: add default log priority
    - tree-wide: pass unsigned long to prctl()
    - macro: add new macro header
    - conf: mount devpts without “max” on EINVAL
    - tree-wide: handle EINTR in read() and write()
    - tree-wide: replace pipe() with pipe2()
    - confile: split mount options into flags and data
    - conf: improve rootfs setup
    - autotools: default to -Wvla -std=gnu11
    - tree-wide: remove VLAs
    - tree-wide: replace strtok_r() with lxc_iterate_parts()
    - utils: add lxc_iterate_parts()
    - apparmor: allow start-container to change to lxc-**
    - apparmor: update current profiles
    - apparmor: Allow /usr/lib* paths for mount and pivot_root
    - conf: the atime flags are locked in userns
    - conf: handle partially functional device nodes
    - conf: create /dev directory
    - autotools: build both a shared and static liblxc
    - namespace: add api to convert namespaces to standard identifiers
    - tree-wide: set MSG_NOSIGNAL
    - tree-wide: use mknod() to create dummy files
    - cgfsng: respect lxc.cgroup.use
    - cgroups: remove is_crucial_cgroup_subsystem()
    - tree-wide: remove unneeded log prefixes
    - tests: cleanup all tests
    - terminal: set FD_CLOEXEC on pty file descriptors
    - conf: simplify lxc_setup_dev_console()
    - tools: rework tools
    - autodev: adapt to changes in Linux 4.18
    - log: change DEBUG, INFO, TRACE, NOTICE macro using strerror to SYS* macro
    - log: add lxc_log_strerror_r macro
    - network: unpriv lxc will run lxc.net.[i].script.up now
    - conf: only use newuidmap and newgidmap when necessary
    - autotools: support tls in cross-compile

  * Cherry-pick upstream fixes:
    - 0002-tools-fix-lxc-execute-command-parsing.patch
    - 0003-lseek-integer-overflow.patch
    - 0004-cmd-lxc-usernsexec-reorder-includes.patch
    - 0005-cmd-move-declarations-to-macro.h.patch
    - 0006-cmd-use-utils.-c-h-helpers-in-lxc-usernsexec.patch
    - 0007-cmd-simplify-lxc-usernsexec.patch
    - 0008-cmd-use-safe-number-parsers-in-lxc-usernsexec.patch
    - 0009-tools-Indicate-container-startup-failure.patch
    - 0010-conf-fix-path-lxcpath-mixups-in-tty-setup.patch
    - 0011-cmd-use-goto-for-cleanup-in-lxc-usernsexec.patch
    - 0012-utils-split-into-file-string-_utils.-c-h.patch
    - 0013-pam_cgfs-build-from-the-same-sources-as-liblxc.patch
    - 0014-conf-fix-devpts-mounting-when-fully-unprivileged.patch
    - 0015-macro-s-rexit-_exit-g.patch
    - 0016-Makefile-don-t-allow-undefin...

Read more...

Changed in lxc (Ubuntu Bionic):
status: Fix Committed → Fix Released

The verification of the Stable Release Update for lxc has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers